Addressing false positive with strncpy.

2025-12-17 01:03:14 +01:00 · 2024-08-08 15:08:53 -04:00
parent 9105375097
commit abd0a076a8
3 changed files with 25 additions and 17 deletions
--- a/cpp/ql/lib/semmle/code/cpp/security/BufferAccess.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/BufferAccess.qll
@@ -125,10 +125,11 @@ class StrncpyBA extends BufferAccess {
    result = this.(FunctionCall).getArgument(0) and
    bufferDesc = "destination buffer" and
    accessType = 2
-    or
-    result = this.(FunctionCall).getArgument(1) and
-    bufferDesc = "source buffer" and
-    accessType = 2
+    // Ignore this case as reading past the source null terminator is not the behavior of strncpy
+    // or
+    // result = this.(FunctionCall).getArgument(1) and
+    // bufferDesc = "source buffer" and
+    // accessType = 2
  }

  override Expr getSizeExpr() { result = this.(FunctionCall).getArgument(2) }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
@@ -31,9 +31,9 @@ edges
 | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
-| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv | provenance |  |
-| main.cpp:10:20:10:23 | *argv | tests.cpp:657:32:657:35 | **argv | provenance |  |
-| main.cpp:10:20:10:23 | *argv | tests.cpp:657:32:657:35 | *argv | provenance |  |
+| main.cpp:10:20:10:23 | **argv | tests.cpp:664:32:664:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:664:32:664:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:664:32:664:35 | *argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance |  |
 | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
@@ -46,12 +46,12 @@ edges
 | tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home | provenance |  |
 | tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home | provenance |  |
 | tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home | provenance |  |
-| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array | provenance |  |
-| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array | provenance |  |
-| tests.cpp:657:32:657:35 | *argv | tests.cpp:682:9:682:15 | *access to array | provenance |  |
-| tests.cpp:657:32:657:35 | *argv | tests.cpp:683:9:683:15 | *access to array | provenance |  |
-| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance |  |
-| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance |  |
+| tests.cpp:664:32:664:35 | **argv | tests.cpp:689:9:689:15 | *access to array | provenance |  |
+| tests.cpp:664:32:664:35 | **argv | tests.cpp:690:9:690:15 | *access to array | provenance |  |
+| tests.cpp:664:32:664:35 | *argv | tests.cpp:689:9:689:15 | *access to array | provenance |  |
+| tests.cpp:664:32:664:35 | *argv | tests.cpp:690:9:690:15 | *access to array | provenance |  |
+| tests.cpp:689:9:689:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance |  |
+| tests.cpp:690:9:690:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance |  |
 | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
 | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 nodes
@@ -85,10 +85,10 @@ nodes
 | tests.cpp:628:14:628:14 | *s [*home] | semmle.label | *s [*home] |
 | tests.cpp:628:14:628:19 | *home | semmle.label | *home |
 | tests.cpp:628:16:628:19 | *home | semmle.label | *home |
-| tests.cpp:657:32:657:35 | **argv | semmle.label | **argv |
-| tests.cpp:657:32:657:35 | *argv | semmle.label | *argv |
-| tests.cpp:682:9:682:15 | *access to array | semmle.label | *access to array |
-| tests.cpp:683:9:683:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:664:32:664:35 | **argv | semmle.label | **argv |
+| tests.cpp:664:32:664:35 | *argv | semmle.label | *argv |
+| tests.cpp:689:9:689:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:690:9:690:15 | *access to array | semmle.label | *access to array |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -654,6 +654,13 @@ void test26(bool cond)
 	if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
 }

+void test27(){
+	char *src = "";
+	char *dest = "abcdefgh";
+
+	strncpy(dest, src, strlen(dest)); // GOOD, strncpy will not read past null terminator of source
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];